[Chugalug] penetrate me!

William Roush william.roush at roushtech.net
Thu Mar 27 16:27:35 UTC 2014


It was in our primary product; in a secondary product they hemmed and hawed 
over something that /seemed/ insecure at first glance because "well, I 
can change record IDs", but that was secured by access controls, and he didn't 
bother to try accessing any documents he didn't have permission to see.

Mainly what we got out of them was "security through obscurity will 
trick me".

:|

William Roush
william.roush at roushtech.net
423-463-0592

http://www.roushtech.net/blog/


On 3/27/2014 10:27 AM, AverageSecurityGuy wrote:
> Some pentesters are full of $hit and some are really good. If they missed exploits that are easily found with Nessus/Nmap/Metasploit then there is a problem. If they missed an exploit in an obscure system it may be they didn't have enough time to test that system. Either way, you need to have honest conversations with your pentester and if there are systems you are particularly worried about then tell them so they can focus on those areas.
>
> --
> Stephen Haywood
> Owner, ASG Consulting
> CISSP, OSCP
> 423.305.3700
> asgconsulting.co
>
>
>
> On Mar 27, 2014, at 1:02 AM, William Roush <william.roush at roushtech.net> wrote:
>
>> I've dealt with pentesters before, it's kind of aggravating when I have working exploits they don't find and we're forking over tons of money for them to go on some tangent that results in nothing... :\
>>
>> Though as I understand it the market is going the way of SEO and the like: once valid, now full of a lot of people that barely know how to do it and will just run the same tools you found and charge you insane amounts of money for it.
>>
>> Your client will probably want someone that can rubber stamp a pen test on you, so sadly it'll take more than someone that just knows security but can give you the paperwork to back it up and a company name.
>>
>> William Roush
>>
>> william.roush at roushtech.net
>>
>> 423-463-0592
>>
>>
>> http://www.roushtech.net/blog/
>>
>>
>>
>>
>> On 3/27/2014 12:58 AM, Ed King wrote:
>>> Our "network administrator" at the main office quit over a year ago and a replacement was never hired.
>>> http://www.linkedin.com/pub/christopher-silver/7/6a8/341
>>>
>>> Our "network administrator" at our "NOC" quit over a year ago and never got replaced.
>>> www.linkedin.com/in/mlaman
>>>
>>> Our "phone system guy" quit a year ago, a replacement was hired, but I've seen him, like, once.  When the phone/fax systems go down, they call ME.
>>> http://www.linkedin.com/profile/view?id=49461976
>>>
>>> So guess what?  I and one of the other programmers on my team inherited all these extra support duties (without a single f'ing penny of a pay raise, mind you).
>>>
>>> We inherited hardware and software that hasn't been updated in years (insert career-damaging-but-painfully-true my-boss-is-a-cheap-bastard-and-doesn't-spend-money-on-upgrades comment here)
>>>
>>> We know basic firewall, iptables, are mindful of SQL injection, can install/run/monitor virus scanners etc., but we are not security experts nor do we play one on T.V.
>>>
>>> If this situation wasn't stressful enough, it has now come to a boil as a potential (big!) client "demands" proof of pen testing before they will let us host their data.  At this point I'm spread way too thin and told my boss today that he needs to crack open that wallet and hire an outside pen tester.  Anyone on the list "qualified" to do it?  Willing to work for peanuts?
>>>
>>> What defines a qualified pen tester?  I see what appears to be "free" software I could download and run myself, if I was inclined to take on more responsibility w/o pay.  I suppose this free software would be a "good start", but is a pen test done by an "internal" employee good enough for the client?  I doubt it.
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Chugalug mailing list
>>>
>>> Chugalug at chugalug.org
>>> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
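The "I can change record IDs" situation William describes above is the difference between an insecure direct object reference and a predictable ID that is harmless because the server checks permission on every lookup. The following is an added example, not code from the thread or from any product mentioned in it: a hypothetical document lookup in its vulnerable and hardened forms, plus the authorization check a reviewer should actually run, namely trying every (user, ID) pair and comparing the result against the access policy. The document store, sharing table, user names and function names are all constructed for the example.

```python
"""
Added example (not code from the Chugalug thread): the "I can change record IDs"
pattern. A predictable ID in a URL is only a problem when the server looks the
record up without checking who is asking. Both handlers below are hypothetical;
the document store and users are constructed sample data.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a caller asks for a record they are not allowed to see."""


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample data: sequential IDs, exactly what a tester would poke at.
DOCUMENTS = {
    1: Document(1, "alice", "alice's contract"),
    2: Document(2, "bob", "bob's invoice"),
    3: Document(3, "alice", "alice's notes"),
}

# Constructed sharing table: doc_id -> set of users granted read access.
SHARES = {2: {"alice"}}


def lookup_insecure(user: str, doc_id: int) -> Document:
    """Vulnerable form: trusts the ID and ignores who is asking (classic IDOR)."""
    return DOCUMENTS[doc_id]


def can_read(user: str, doc: Document) -> bool:
    """Authorization decision made server-side, per request."""
    return doc.owner == user or user in SHARES.get(doc.doc_id, set())


def lookup_secure(user: str, doc_id: int) -> Document:
    """Hardened form: same predictable ID, but the record is released only after
    an ownership/share check. Returning the same error for "missing" and
    "not yours" avoids leaking which IDs exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not can_read(user, doc):
        raise Forbidden(f"document {doc_id} not available to {user}")
    return doc


def access_matrix(lookup, users, doc_ids):
    """Record, for every (user, id) pair, whether the handler released the
    document. This is the check a reviewer should run rather than stopping at
    "the IDs are predictable"."""
    result = {}
    for user in users:
        for doc_id in doc_ids:
            try:
                lookup(user, doc_id)
                result[(user, doc_id)] = True
            except (Forbidden, KeyError):
                result[(user, doc_id)] = False
    return result


def expected_matrix(users, doc_ids):
    """Ground truth derived straight from the policy (owner or explicit share)."""
    return {
        (user, doc_id): doc_id in DOCUMENTS and can_read(user, DOCUMENTS[doc_id])
        for user in users
        for doc_id in doc_ids
    }


def unauthorized_reads(lookup, users, doc_ids):
    """(user, id) pairs the handler released that policy says it should not have.
    An empty list means the access controls hold for the IDs tried."""
    got = access_matrix(lookup, users, doc_ids)
    want = expected_matrix(users, doc_ids)
    return sorted(k for k in got if got[k] and not want[k])


if __name__ == "__main__":
    users = ["alice", "bob", "mallory"]
    ids = [1, 2, 3, 4]
    print("insecure handler leaks:", unauthorized_reads(lookup_insecure, users, ids))
    print("secure handler leaks:  ", unauthorized_reads(lookup_secure, users, ids))
```

The point of `unauthorized_reads` is that "IDs are guessable" on its own proves nothing; the finding only exists if some pair in the matrix is released against policy. Running the same matrix against both handlers gives a pentester (or the developer doing an internal check, as Ed asks about) a concrete, reproducible result rather than a hunch.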
